为阿里云云产品配置访问ACK集群的RBAC权限_容器服务 Kubernetes 版 ACK(ACK)-阿里云帮助中心

ACK支持基于Kubernetes原生的RBAC（Role-Based Access Control）授权机制。RBAC授权支持为不同用户赋予同一集群内的Kubernetes资源不同的操作权限。其他阿里云产品访问ACK集群时，您可以为云服务绑定指定的RBAC角色，使得相关云服务通过服务角色所对应的RBAC权限访问集群内部资源，从而实现集群资源权限的隔离和权限最小化。

注意事项

默认情况下，ACK集群不会主动创建云服务RBAC角色，只有在您授权相关云产品的服务角色并使用云服务指定功能时，由相关云服务触发创建RBAC角色及授权绑定操作。
云产品指定的RBAC角色绑定名称格式固定为：${服务英文缩写}-${服务角色名称}-clusterrolebinding 或 ${服务英文缩写}-${服务角色名称}-rolebinding。
本文提供的RBAC角色仅用于云产品指定功能的最小化权限访问，不会影响您正常业务的RBAC授权。
您可以开启集群API Server审计日志，并在审计日志中根据RBAC角色绑定的subjects字段确定绑定的对象名称，然后通过对象名称检索指定云产品对集群内资源访问的审计日志。具体操作，请参见使用集群API Server审计功能。

云产品服务角色权限策略

当您为云产品授予下表中指定的云产品服务角色后，云产品默认会根据表格中服务角色对应的RBAC权限访问容器服务ACK集群的资源。

说明

下表中，权限作用范围列表示该权限生效的范围，可能为集群级别（cluster）或命名空间级别（namespace）。

自定义云产品访问ACK集群的RBAC权限

如果您需要自定义阿里云产品对ACK集群资源的操作权限，可通过配置指定阿里云产品在集群中对应的ClusterRole实现。您需要在ClusterRole中添加Annotation inner.service.alibabacloud.com/user-customized: true，并在rules字段下自定义权限策略。示例如下。

重要

对指定RBAC角色的自定义修改可能会影响对应云产品相关功能的正常使用，具体影响请提交工单咨询对应云产品的技术支持人员。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    inner.service.alibabacloud.com/user-customized: true
  name: test-aliyunserviceroleforarms-clusterrole
rules:
- apiGroups:
  - test
  resources:
  - '*'
  verbs:
  - '*'
...

配置禁止云产品访问ACK集群的权限

参见自定义云产品访问ACK集群的RBAC权限，在指定云产品对应的ClusterRole中增加Annotation inner.service.alibabacloud.com/user-customized: true ，同时删除rules字段下所有权限，即可清除云产品对ACK集群的所有访问权限。
在RAM控制台上删除云产品对应的RAM服务角色，也可以禁止该云产品对ACK集群进行访问。具体操作，请参见删除RAM角色。

云产品	服务角色名称	权限作用范围	RBAC权限策略
应用实时监控服务ARMS	arms-aliyunserviceroleforarms-clusterrolebinding	cluster	arms-aliyunserviceroleforarms-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: arms-aliyunserviceroleforarms-clusterrole rules: - apiGroups: ["vector.oam.dev"] resources: [""] verbs: [""] - apiGroups: ["o11y.aliyun.dev"] resources: [""] verbs: [""] - apiGroups: [""] resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"] verbs: [""] - apiGroups: [""] resources: ["nodes/metrics"] verbs: ["get"] - apiGroups: [""] resources: ["limitranges"] verbs: ["list", "watch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] verbs: ["get", "list", "watch"] - apiGroups: ["extensions"] resources: ["ingresses"] verbs: ["list", "watch"] - apiGroups: ["batch"] resources: ["cronjobs", "jobs"] verbs: ["list", "watch"] - apiGroups: ["autoscaling"] resources: ["horizontalpodautoscalers"] verbs: ["list", "watch"] - apiGroups: ["policy"] resources: ["poddisruptionbudgets"] verbs: ["list", "watch"] - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests"] verbs: ["list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses","volumeattachments"] verbs: ["get", "list", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "list", "watch"] - apiGroups: ["apps","extensions"] resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"] verbs: [""] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: [""] - apiGroups: ["monitoring.coreos.com"] resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"] verbs: [""] - apiGroups: ["monitor.aliyun.com"] resources: ["alicloudpromrules","alicloudpromrules/status"] verbs: [""] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["rolebindings","roles","clusterroles","clusterrolebindings"] verbs: [""] - apiGroups: ["networking.k8s.io"] resources: ["networkpolicies","ingresses","ingressclasses"] verbs: [""] - apiGroups: ["apps.kruise.io"] resources: ["statefulsets"] verbs: [""] - apiGroups: ["nsm.alibabacloud.com"] resources: ["networkservices"] verbs: [""] - nonResourceURLs: - "/metrics" verbs: - get - apiGroups: [""] resources: ["serviceaccounts/token"] verbs: ["create"] - apiGroups: ["log.alibabacloud.com"] resources: [""] verbs: [""] - apiGroups: ["telemetry.alibabacloud.com"] resources: [""] verbs: ["*"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"]
开源大数据开发平台E-MapReduce	emr-aliyunemronackdefaultrole-clusterrolebinding	cluster	emr-aliyunemronackdefaultrole-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: emr-aliyunemronackdefaultrole-clusterrole rules: - apiGroups: [""] resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","persistentvolumes","persistentvolumeclaims"] verbs: [""] - apiGroups: ["apps"] resources: ["deployments", "daemonsets", "statefulsets"] verbs: [""] - apiGroups: ["extensions"] resources: ["ingresses"] verbs: [""] - apiGroups: ["networking.k8s.io"] resources: ["ingresses"] verbs: [""] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: [""] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"] verbs: [""] - apiGroups: ["sparkoperator.k8s.io"] resources: [""] verbs: [""] - apiGroups: ["flink.apache.org"] resources: [""] verbs: [""]
阿里云云安全中心	sas-aliyunserviceroleforsas-clusterrolebinding	cluster	sas-aliyunserviceroleforsas-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: sas-aliyunserviceroleforsas-clusterrole rules: - apiGroups: [""] resources: ["secrets"] verbs: ["create"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["policygovernance-yundun-config"] verbs: ["get", "update", "patch"] - apiGroups: [""] resources: ["services","pods"] verbs: ["list"] - apiGroups: ["extensions"] resources: ["ingresses"] verbs: ["list"] - apiGroups: ["networking.k8s.io"] resources: ["ingresses"] verbs: ["list"]
云数据库Tair	tair-aliyunserviceroleforkvstore-clusterrolebinding	cluster	tair-aliyunserviceroleforkvstore-clusterrole `apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: tair-aliyunserviceroleforkvstore-clusterrole rules: - apiGroups: - "" resources: - nodes verbs: - get - list - apiGroups: - admissionregistration.k8s.io resources: - validatingwebhookconfigurations - mutatingwebhookconfigurations verbs: - get - list`
云数据库Tair	tair-aliyunserviceroleforkvstore-clusterrolebinding	ack-tair namespace	tair-aliyunserviceroleforkvstore-role apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: tair-aliyunserviceroleforkvstore-role namespace: ack-tair rules: - apiGroups: - batch resources: - jobs verbs: - get - list - create - delete - apiGroups: - "" resources: - events verbs: - create - patch - get - list - apiGroups: - apps resources: - statefulsets verbs: - create - delete - get - list - patch - update - apiGroups: - apps resources: - deployments verbs: - create - delete - get - list - patch - update - apiGroups: - "" resources: - configmaps verbs: - create - delete - get - list - patch - update - apiGroups: - "" resources: - pods verbs: - create - delete - get - list - patch - update - apiGroups: - "" resources: - pods/exec - pods/portforward - pods/proxy verbs: - create - get - apiGroups: - "" resources: - services verbs: - create - delete - get - list - patch - update - apiGroups: - "" resources: - services/proxy verbs: - create - get - apiGroups: - tair.alibabacloud.com resources: - tairclusters verbs: - create - delete - get - list - patch - update - watch - apiGroups: - tair.alibabacloud.com resources: - tairclusters/finalizers verbs: - update - apiGroups: - tair.alibabacloud.com resources: - tairclusters/status verbs: - get - patch - update - apiGroups: - "" resources: - persistentvolumeclaims verbs: - create - delete - get - list - patch - update - apiGroups: - "" resources: - persistentvolumeclaims/status verbs: - get - apiGroups: - scheduling.sigs.k8s.io resources: - reserveresourcesets verbs: - create - delete - get - list - patch - update - watch
企业级分布式应用服务EDAS	edas-aliyunedasdefaultrole-clusterrolebinding	cluster	edas-aliyunedasdefaultrole-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: edas-aliyunedasdefaultrole-clusterrole rules: - apiGroups: [ "" ] resources: [ "nodes", "nodes/stats" ] verbs: [ "get", "list", "watch" ] - apiGroups: [ "" ] resources: [ "pods", "pods/exec", "pods/log", "pods/status", "limitranges", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "secrets", "bindings", "resourcequotas", "serviceaccounts", "componentstatuses", "events", "persistentvolumeclaims", "persistentvolumes", "replicationcontrollers","podtemplates" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "apps" ] resources: [ "deployments","daemonsets","statefulsets","replicasets","deployments/scale","statefulsets/scale","statefulsets/status","deployments/status","controllerrevisions" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "extensions" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: ["batch"] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["apiregistration.k8s.io"] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["rbac.authorization.k8s.io"] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [ "events.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: ["apiextensions.k8s.io"] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["edas.aliyun.oam.com"] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["autoscaling"] resources: [""] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: ["oam-domain.alibabacloud.com" ] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["core.oam.dev"] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["flagger.app"] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [ "keda.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "log.alibabacloud.com" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "clm.cloudnativeapp.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "monitoring.coreos.com" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "admissionregistration.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "extension.oam.dev" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "authentication.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: ["discovery.k8s.io"] resources: [""] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [ "networking.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "scheduling.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "scheduling.sigs.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "snapshot.storage.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "storage.alibabacloud.com" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "storage.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "certificates.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "flowcontrol.apiserver.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "policy" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "authorization.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "external.metrics.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - nonResourceURLs: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "keda.sh" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "alibabacloud.com" ] resources: [ "albconfigs" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "autoscaling.alibabacloud.com" ] resources: [ "advancedhorizontalpodautoscalers" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] - apiGroups: [ "metrics.alibabacloud.com" ] resources: [ "" ] verbs: [ "get", "list", "watch" ] - apiGroups: [ "metrics.k8s.io" ] resources: [ "pods","nodes" ] verbs: [ "get", "list", "watch" ] - apiGroups: [ "coordination.k8s.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "apps.kruise.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "edas.alibabacloud.com" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "istio.aliyun.cloud.com" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "nacos.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
云数据库RDS	aliyunmybasecpaasdefaultrole-clusterrolebinding	cluster	rds-aliyunmybasecpaasdefaultrole-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: rds-aliyunmybasecpaasdefaultrole-clusterrole rules: - apiGroups: - '' resources: - nodes - namespaces - resourcequotas - limitranges - nodes/metrics - replicationcontrollers - nodes/proxy verbs: - list - get - watch - apiGroups: - '' resources: - services - configmaps - secrets - pods - pods/log - pods/exec - endpoints - persistentvolumes - persistentvolumeclaims - events verbs: - '' - apiGroups: - '' resources: - serviceaccounts verbs: - list - get - watch - create - apiGroups: - '' resourceNames: - mybase-operator - polardbx-operator - pre-install-kibana-kibana - filebeat-filebeat - post-delete-kibana-kibana resources: - serviceaccounts verbs: - '' - apiGroups: - '' resources: - namespaces verbs: - patch - list - create - watch - get - apiGroups: - coordination.k8s.io resources: - leases verbs: - '' - apiGroups: - apps resources: - deployments - daemonsets - statefulsets - controllerrevisions - replicasets verbs: - '' - apiGroups: - apps resourceNames: - filebeat-filebeat - logstash-logstash - kibana-kibana - elasticsearch-master resources: - deployments - daemonsets - statefulsets - replicasets verbs: - '' - apiGroups: - batch resources: - jobs - cronjobs verbs: - '' - apiGroups: - extensions resources: - ingresses verbs: - list - get - watch - apiGroups: - extensions resources: - deployments - daemonsets - statefulsets - controllerrevisions - replicasets verbs: - '' - apiGroups: - networking.k8s.io resources: - ingresses verbs: - list - get - watch - apiGroups: - events.k8s.io resources: - events verbs: - '' - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles - clusterrolebindings - roles - rolebindings verbs: - list - get - watch - create - apiGroups: - rbac.authorization.k8s.io resourceNames: - mybase-operator - polardbx-operator - polardbx-controller-manager - mybase-monitoring - filebeat-filebeat-role - filebeat-filebeat-role-binding - filebeat-filebeat-cluster-role - filebeat-filebeat-cluster-role-binding - pre-install-kibana-kibana - post-delete-kibana-kibana resources: - clusterroles - clusterrolebindings - roles - rolebindings verbs: - '' - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - list - get - watch - create - apiGroups: - apiextensions.k8s.io resourceNames: - mybaseappinstancebackuppolicies.apps.k8s.mybase.aliyun.com - mybaseappdefinitions.apps.k8s.mybase.aliyun.com - mybaseappinstanceops.apps.k8s.mybase.aliyun.com - mybaseappinstances.apps.k8s.mybase.aliyun.com - polardbxbackupbinlogs.polardbx.aliyun.com - polardbxbackups.polardbx.aliyun.com - polardbxbackupschedules.polardbx.aliyun.com - polardbxclusterknobs.polardbx.aliyun.com - polardbxclusters.polardbx.aliyun.com - polardbxlogcollectors.polardbx.aliyun.com - polardbxmonitors.polardbx.aliyun.com - polardbxparameters.polardbx.aliyun.com - polardbxparametertemplates.polardbx.aliyun.com - systemtasks.polardbx.aliyun.com - xstorebackups.polardbx.aliyun.com - xstorefollowers.polardbx.aliyun.com - xstores.polardbx.aliyun.com resources: - customresourcedefinitions verbs: - '' - apiGroups: - monitoring.coreos.com resources: - '' verbs: - '' - apiGroups: - apps.k8s.mybase.aliyun.com resources: - '' verbs: - '' - apiGroups: - polardbx.aliyun.com resources: - '' verbs: - '' - apiGroups: - v1.admission.polardbx.aliyun.com resources: - '' verbs: - '' - apiGroups: - apiregistration.k8s.io resources: - apiservices verbs: - list - get - watch - create - apiGroups: - apiregistration.k8s.io resourceNames: - v1.admission.polardbx.aliyun.com resources: - apiservices verbs: - '' - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations verbs: - list - get - watch - create - apiGroups: - admissionregistration.k8s.io resourceNames: - polardbxcluster-mutate.polardbx.aliyun.com - polardbxcluster-validate.polardbx.aliyun.com resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations verbs: - '*' - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - list - get - watch - apiGroups: - policy resources: - poddisruptionbudgets verbs: - update - delete - patch - create - list - get - watch - nonResourceURLs: - /metrics verbs: - get
云监控	aliyunserviceroleforcloudmonitor-clusterrolebinding	cluster	cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole rules: - apiGroups: ["vector.oam.dev"] resources: [""] verbs: [""] - apiGroups: ["o11y.aliyun.dev"] resources: [""] verbs: [""] - apiGroups: [""] resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"] verbs: [""] - apiGroups: [""] resources: ["nodes/metrics"] verbs: ["get"] - apiGroups: [""] resources: ["limitranges"] verbs: ["list", "watch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] verbs: ["get", "list", "watch"] - apiGroups: ["extensions"] resources: ["ingresses"] verbs: ["list", "watch"] - apiGroups: ["batch"] resources: ["cronjobs", "jobs"] verbs: ["list", "watch"] - apiGroups: ["autoscaling"] resources: ["horizontalpodautoscalers"] verbs: ["list", "watch"] - apiGroups: ["policy"] resources: ["poddisruptionbudgets"] verbs: ["list", "watch"] - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests"] verbs: ["list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses","volumeattachments"] verbs: ["get", "list", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "list", "watch"] - apiGroups: ["apps","extensions"] resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"] verbs: [""] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: [""] - apiGroups: ["monitoring.coreos.com"] resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"] verbs: [""] - apiGroups: ["monitor.aliyun.com"] resources: ["alicloudpromrules","alicloudpromrules/status"] verbs: [""] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["rolebindings","roles","clusterroles","clusterrolebindings"] verbs: [""] - apiGroups: ["networking.k8s.io"] resources: ["networkpolicies","ingresses","ingressclasses"] verbs: [""] - apiGroups: ["apps.kruise.io"] resources: ["statefulsets"] verbs: [""] - apiGroups: ["nsm.alibabacloud.com"] resources: ["networkservices"] verbs: [""] - nonResourceURLs: - "/metrics" verbs: - get - apiGroups: [""] resources: ["serviceaccounts/token"] verbs: ["create"] - apiGroups: ["log.alibabacloud.com"] resources: [""] verbs: [""] - apiGroups: ["telemetry.alibabacloud.com"] resources: [""] verbs: ["*"]
微服务引擎MSE	mse-aliyunserviceroleformse-clusterrolebinding	cluster	mse-aliyunserviceroleformse-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: mse-aliyunserviceroleformse-clusterrole rules: # base - apiGroups: [""] resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"] verbs: ["get", "watch", "list"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] # ingress - apiGroups: ["networking.k8s.io"] resources: ["ingresses", "ingressclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.k8s.io"] resources: ["ingresses/status"] verbs: [""] # Use for Kubernetes Service APIs - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] resources: [""] verbs: ["get", "watch", "list"] - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] resources: [""] verbs: [""] # CRD - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] # istio - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] resources: [ "workloadentries" ] - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] resources: [ "workloadentries/status" ] # demo - apiGroups: [""] resources: ["services", "namespaces"] verbs: ["get", "list", "watch", "create"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "watch", "create"]
微服务引擎MSE	mse-aliyunserviceroleformsediagnosis-clusterrolebinding	cluster	mse-aliyunserviceroleformsediagnosis-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: mse-aliyunserviceroleformsediagnosis-clusterrole rules: # base - apiGroups: [ "" ] resources: [ "nodes", "nodes/stats" ] verbs: [ "get", "watch" ] - apiGroups: [ "" ] resources: [ "pods", "pods/exec", "pods/log", "pods/status", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "componentstatuses", "events","podtemplates" ] verbs: [ "get", "watch", "create"] - apiGroups: [ "apps" ] resources: [ "deployments","daemonsets","statefulsets","replicasets","statefulsets/status","deployments/status" ] verbs: [ "get", "watch", "create"]
API网关	apig-aliyunservicerolefornativeapigw-clusterrolebinding	cluster	apig-aliyunservicerolefornativeapigw-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: apig-aliyunservicerolefornativeapigw-clusterrole rules: # base - apiGroups: [""] resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"] verbs: ["get", "watch", "list"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] # ingress - apiGroups: ["networking.k8s.io"] resources: ["ingresses", "ingressclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.k8s.io"] resources: ["ingresses/status"] verbs: [""] # Use for Kubernetes Service APIs - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] resources: [""] verbs: ["get", "watch", "list"] - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] resources: [""] verbs: [""] # CRD - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] # istio - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] resources: [ "workloadentries" ] - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] resources: [ "workloadentries/status" ] # demo - apiGroups: [""] resources: ["services", "namespaces"] verbs: ["get", "list", "watch", "create"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "watch", "create"]
日志服务SLS	sls-aliyunserviceroleforslsaudit-clusterrolebinding	cluster	sls-aliyunserviceroleforslsaudit-role `apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: sls-aliyunserviceroleforslsaudit-role rules: - apiGroups: - "" resources: - "" verbs: - get - list - watch - apiGroups: - "*" resources: - namespaces - deployments - serviceaccounts - clusterroles - clusterrolebindings - daemonsets - services - aliyunlogconfigs verbs: - create - patch - delete - nonResourceURLs: - /metrics verbs: - get`
检索分析服务Elasticsearch版	elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding	captain-system namespace	elasticsearch-aliyunserviceroleforelasticsearchcollector-role apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role namespace: captain-system rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - endpoints - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - create - delete - deletecollection - patch - update - apiGroups: - batch resources: - cronjobs - jobs verbs: - create - delete - deletecollection - patch - update - apiGroups: - extensions resources: - daemonsets - deployments - deployments/rollback - deployments/scale - ingresses - networkpolicies - replicasets - replicasets/scale - replicationcontrollers/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - delete - deletecollection - patch - update - apiGroups: - networking.k8s.io resources: - ingresses - networkpolicies verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - endpoints - persistentvolumeclaims - persistentvolumeclaims/status - pods - replicationcontrollers - replicationcontrollers/scale - serviceaccounts - services - services/status verbs: - get - list - watch - apiGroups: - "" resources: - bindings - events - limitranges - namespaces/status - pods/log - pods/status - replicationcontrollers/status - resourcequotas - resourcequotas/status verbs: - get - list - watch - apiGroups: - "" resources: - namespaces verbs: - get - list - watch - apiGroups: - apps resources: - controllerrevisions - daemonsets - daemonsets/status - deployments - deployments/scale - deployments/status - replicasets - replicasets/scale - replicasets/status - statefulsets - statefulsets/scale - statefulsets/status verbs: - get - list - watch - apiGroups: - autoscaling resources: - horizontalpodautoscalers - horizontalpodautoscalers/status verbs: - get - list - watch - apiGroups: - batch resources: - cronjobs - cronjobs/status - jobs - jobs/status verbs: - get - list - watch - apiGroups: - extensions resources: - daemonsets - daemonsets/status - deployments - deployments/scale - deployments/status - ingresses - ingresses/status - networkpolicies - replicasets - replicasets/scale - replicasets/status - replicationcontrollers/scale verbs: - get - list - watch - apiGroups: - policy resources: - poddisruptionbudgets - poddisruptionbudgets/status verbs: - get - list - watch - apiGroups: - networking.k8s.io resources: - ingresses - ingresses/status - networkpolicies verbs: - get - list - watch - apiGroups: - authorization.k8s.io resources: - localsubjectaccessreviews verbs: - create - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings - roles verbs: - create - delete - deletecollection - get - list - patch - update - watch - apiGroups: - app.alauda.io resources: - helmrequests verbs: - create - delete - deletecollection - get - list - patch - update - watch
	elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding	logging namespace	elasticsearch-aliyunserviceroleforelasticsearchcollector-role apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role namespace: logging rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - endpoints - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - create - delete - deletecollection - patch - update - apiGroups: - batch resources: - cronjobs - jobs verbs: - create - delete - deletecollection - patch - update - apiGroups: - extensions resources: - daemonsets - deployments - deployments/rollback - deployments/scale - ingresses - networkpolicies - replicasets - replicasets/scale - replicationcontrollers/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - delete - deletecollection - patch - update - apiGroups: - networking.k8s.io resources: - ingresses - networkpolicies verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - endpoints - persistentvolumeclaims - persistentvolumeclaims/status - pods - replicationcontrollers - replicationcontrollers/scale - serviceaccounts - services - services/status verbs: - get - list - watch - apiGroups: - "" resources: - bindings - events - limitranges - namespaces/status - pods/log - pods/status - replicationcontrollers/status - resourcequotas - resourcequotas/status verbs: - get - list - watch - apiGroups: - "" resources: - namespaces verbs: - get - list - watch - apiGroups: - apps resources: - controllerrevisions - daemonsets - daemonsets/status - deployments - deployments/scale - deployments/status - replicasets - replicasets/scale - replicasets/status - statefulsets - statefulsets/scale - statefulsets/status verbs: - get - list - watch - apiGroups: - autoscaling resources: - horizontalpodautoscalers - horizontalpodautoscalers/status verbs: - get - list - watch - apiGroups: - batch resources: - cronjobs - cronjobs/status - jobs - jobs/status verbs: - get - list - watch - apiGroups: - extensions resources: - daemonsets - daemonsets/status - deployments - deployments/scale - deployments/status - ingresses - ingresses/status - networkpolicies - replicasets - replicasets/scale - replicasets/status - replicationcontrollers/scale verbs: - get - list - watch - apiGroups: - policy resources: - poddisruptionbudgets - poddisruptionbudgets/status verbs: - get - list - watch - apiGroups: - networking.k8s.io resources: - ingresses - ingresses/status - networkpolicies verbs: - get - list - watch - apiGroups: - authorization.k8s.io resources: - localsubjectaccessreviews verbs: - create - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings - roles verbs: - create - delete - deletecollection - get - list - patch - update - watch - apiGroups: - app.alauda.io resources: - helmrequests - releases verbs: - create - delete - deletecollection - get - list - patch - update - watch - apiGroups: - elasticsearch.kubernetes.aliyun.com resources: - logcollectors - indexlifecyclebindings - indexlifecyclepolicies verbs: - create - delete - deletecollection - get - list - patch - update - watch - apiGroups: - beat.kubernetes.aliyun.com resources: - beats verbs: - create - delete - deletecollection - get - list - patch - update - watch
	elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrolebinding	cluster	elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole rules: - apiGroups: [""] resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets"] verbs: ["get", "list", "watch", "patch", "update", "create"] - apiGroups: ["apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["app.alauda.io"] resources: ["helmrequests"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
人工智能平台PAI	pai-aliyunpaidlcdefaultrole-clusterrolebinding	cluster	pai-aliyunpaidlcdefaultrole-clusterrole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: pai-aliyunpaidlcdefaultrole-clusterrole rules: - apiGroups: [ "" ] resources: [ "secrets", "secrets/status", "services", "namespaces", "endpoints", "serviceaccounts", "configmaps/status", "persistentvolumes", "persistentvolumes/status", "events", "events/status", "persistentvolumeclaims", "pods", "pods/log", "replicationcontrollers", "bindings", "limitranges", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy", "services/proxy"] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "" ] resources: [ "serviceaccounts" ] verbs: [ "impersonate" ] - apiGroups: [ "" ] resources: [ "configmaps", "pods", "services", "secrets", "endpoints", "configmaps" ] verbs: [ "" ] - apiGroups: [ "" ] resources: [ "pods/status","pods/binding", "namespaces/status", "persistentvolumeclaims/status", "replicationcontrollers/scale", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "services/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "" ] resources: [ "nodes", "nodes/status" ] verbs: [ "create", "delete", "update", "get", "list", "watch", "patch", "deletecollection" ] - apiGroups: [ "apps" ] resources: [ "statefulsets", "daemonsets", "deployments", "controllerrevisions", "replicasets" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "apps" ] resources: [ "statefulsets/status", "daemonsets/status", "deployments/scale", "deployments/status", "replicasets/scale", "replicasets/status", "statefulsets/scale", "deployments/rollback" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "rbac.authorization.k8s.io" ] resources: [ "clusterrolebindings", "clusterroles", "roles", "roles/status", "rolebindings", "rolebindings/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "authentication.k8s.io" ] resources: [ "tokenreviews" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "authorization.k8s.io" ] resources: [ "subjectaccessreviews" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "admissionregistration.k8s.io" ] resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "networking.k8s.io" ] resources: [ "ingresses", "ingresses/status", "networkpolicies" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "apiextensions.k8s.io" ] resources: [ "customresourcedefinitions" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "batch" ] resources: [ "jobs", "cronjobs", "jobs/status", "cronjobs/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "batch/v1" ] resources: [ "jobs" ] verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "autoscaling" ] resources: [ "horizontalpodautoscalers", "horizontalpodautoscalers/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "coordination.k8s.io" ] resources: [ "leases", "leases/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "coordination.k8s.io" ] resources: [ "leases" ] verbs: [ "" ] - apiGroups: [ "data.fluid.io" ] resources: [ "datasets", "datasets/status", "jindoruntimes", "jindoruntimes/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "extensions" ] resources: [ "replicasets", "replicasets/status", "daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status", "deployments/rollback", "ingresses", "ingresses/status", "networkpolicies", "replicasets/scale", "replicationcontrollers/scale" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "metrics.k8s.io" ] resources: [ "nodes", "pods" ] verbs: [ "get", "list", "watch" ] - apiGroups: [ "kubeflow.org" ] resources: [ "tfjobs", "pytorchjobs", "tfjobs/status", "pytorchjobs/status", "mpijobs", "mpijobs/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "xdl.kubedl.io" ] resources: [ "xdljobs", "xdljobs/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "xgboostjob.kubeflow.org" ] resources: [ "xgboostjobs", "xgboostjobs/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "events.k8s.io" ] resources: [ "events" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "policy" ] resources: [ "poddisruptionbudgets", "poddisruptionbudgets/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "apps.kruise.io" ] resources: [ "statefulsets" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "scheduling.alibabacloud.com" ] resources: [ "gpudevices", "allocgroups", "allocgroups/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "gputopology.kubedl.io" ] resources: [ "gputopologies" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "storage.k8s.io" ] resources: [ "storageclasses", "csinodes", "volumeattachments" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "scheduling.k8s.io" ] resources: [ "priorityclasses" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "scheduling.x-k8s.io" ] resources: [ "queueunits", "queueunits/status", "queues" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "scheduling.sigs.k8s.io" ] resources: [ "elasticquotatrees" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "certificates.k8s.io" ] resources: [ "certificatesigningrequests", "certificatesigningrequests/approval", "signers" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "approve" ] - apiGroups: [ "discovery.k8s.io" ] resources: [ "endpointslices" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "monitoring.coreos.com" ] resources: [ "servicemonitors" ] verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection"] - apiGroups: [ "inference.kubedl.io" ] resources: [ "elasticbatchjobs", "elasticbatchjobs/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "gateway.solo.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "argoproj.io" ] resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers", "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "paiflow.alibaba-inc.com" ] resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers", "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers", "workfloweventbindings", "workfloweventbindings/finalizers" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "dlc.alibaba.com" ] resources: [ "datasources", "datasources/status", "dlcinstanceresourcepatches", "dlcinstanceresourcepatches/status", "dlcinstances", "dlcinstances/status", "resourcegroups", "resourcegroups/status", "tensorboards", "tensorboards/status"] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "eas.alibaba-inc.k8s.io" ] resources: [ "resourcemigrations", "resourcemigrations/status", "tenantresources", "tenantresources/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "paiflow.pai.alibaba-inc.com" ] resources: [ "aiworkspaces" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "gloo.solo.io", "enterprise.gloo.solo.io", "graphql.gloo.solo.io" ] resources: [ "" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "ratelimit.solo.io" ] resources: [ "ratelimitconfigs","ratelimitconfigs/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "dsw.alibaba.com" ] resources: [ "dswinstances", "dswinstances/status", "idleinstancecullers", "idleinstancecullers/status", "images", "images/status", "notebooks", "notebooks/status", "credentials", "credentials/status", "nasvolumes", "nasvolumes/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: [ "training.pai.alibaba-inc.com" ] resources: [ "trainingjobs", "trainingjobs/status" ] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ] - apiGroups: ["scheduling.sigs.k8s.io"] resources: ["podgroups"] verbs: ["get", "delete"]
云原生应用组装平台	bizworks-aliyunserviceroleforbizworks-clusterrolebinding	cluster	该角色权限为最高权限，可安装任意Helm Chart。 bizworks-aliyunserviceroleforbizworks-clusterrole `apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: bizworks-aliyunserviceroleforbizworks-clusterrole rules: - apiGroups: - '' resources: - '' verbs: - '' - nonResourceURLs: - '' verbs: - '*'`